Surprise Exception Handlers


Transcript of Surprise Exception Handlers

Page 1: Surprise Exception Handlers

Surprise Exception Handlers

Peter Ferrie, Senior Anti-virus Researcher

11 June, 2008


Page 2

Corrupted!

A program that causes this message to appear:

would probably be considered corrupted and not worthy of attention.

Peter Ferrie, Microsoft Corporation

Page 3

Empty!

Especially if it looks like this…


Page 4

Empty!


(Screenshot of the PE header, caption: Entry Point)

Page 5

Empty!


(Screenshot of the code at the entry point, caption: C3 RET, a single return instruction)

Page 6

Empty!

So the main file does nothing. If we assume that the structure is normal, then we could check the import table. Just in case.


Page 7

Empty!


(Screenshot of the import table, caption: SEH.DLL, the only imported module)

Page 8

Empty!


(Screenshot of the import table, caption: ‘a’, the only imported function)

Page 9

Empty!

So the search moves to SEH.DLL, and the mysterious function called ‘a’.


Page 10

‘A’ function


Page 11

Failure To Launch

CODE:00401000 push    esi                                   ; preserve esi
CODE:00401001 xor     esi, esi                              ; esi = 0
CODE:00401003 lods    dword ptr fs:[esi]                    ; eax = fs:[0], head of the SEH chain
CODE:00401005 inc     eax                                   ; undone by the dec below on the first pass
CODE:00401006
CODE:00401006 loc_401006:
CODE:00401006 dec     eax
CODE:00401007 xchg    eax, esi                              ; esi = current EXCEPTION_REGISTRATION record
CODE:00401008 lodsd                                         ; eax = record.Next, esi -> record.Handler
CODE:00401009 inc     eax                                   ; Next == 0xFFFFFFFF marks the last record
CODE:0040100A jnz     short loc_401006                      ; otherwise keep walking
CODE:0040100C mov     dword ptr [esi], offset sub_401014    ; overwrite the last record's handler
CODE:00401012 pop     esi                                   ; eax is 0 here, so FALSE is returned

At this point, eax is zero, which is returned to the loader as a load failure. A DLL that fails to load causes the message to appear.


Page 12

I’m OK, You’re OK

But what happens when we click on ‘OK’?


Page 13

Surprise!


Page 14

Not OK

The code runs.


Page 15

How Did That Happen?

Let’s revisit the code:

CODE:00401001 xor     esi, esi                              ; esi = 0
CODE:00401003 lods    dword ptr fs:[esi]                    ; eax = fs:[0], head of the SEH chain
CODE:00401005 inc     eax                                   ; undone by the dec below on the first pass
CODE:00401006
CODE:00401006 loc_401006:
CODE:00401006 dec     eax
CODE:00401007 xchg    eax, esi                              ; esi = current EXCEPTION_REGISTRATION record
CODE:00401008 lodsd                                         ; eax = record.Next, esi -> record.Handler
CODE:00401009 inc     eax                                   ; Next == 0xFFFFFFFF marks the last record
CODE:0040100A jnz     short loc_401006                      ; otherwise keep walking
CODE:0040100C mov     dword ptr [esi], offset sub_401014    ; overwrite the last record's handler
CODE:00401012 pop     esi                                   ; eax is 0 here, so FALSE is returned


Page 16

Not OK

A standard search and replace of the topmost SEH handler. Why does it work?

The secret is in what Windows does after the DLL refuses to load. First comes the call to NtRaiseHardError() to display the message.

However, next comes a call to RtlRaiseStatus(). This is intended to notify a debugger of the problem.

RtlRaiseStatus() calls NtRaiseException(), which raises an exception.

Without a debugger attached, that exception is dispatched to the topmost SEH handler, which is now inside the DLL that was supposed to have terminated.
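To make the walk above concrete, here is an added Python model of it; this is not code from the slides, and the stack addresses and handler values in it are constructed. It replays the disassembly register by register on a small dictionary standing in for stack memory, then performs the same walk the way a debugger or an integrity check would, so that a replaced outermost handler can be spotted by comparing it against a known-good value (the chain_was_tampered check and its expected_handler argument are assumptions of this example, not something the slides describe).

```python
# Added example, not from the slides. x86 SEH records live on the stack as
# {Next, Handler} dword pairs; fs:[0] points at the most recently installed
# record and the outermost record (installed at thread start) has
# Next == 0xFFFFFFFF. All addresses and handler values below are constructed.

END_OF_CHAIN = 0xFFFFFFFF   # Next field of the outermost EXCEPTION_REGISTRATION
MASK32 = 0xFFFFFFFF         # keep register arithmetic at 32 bits

# Constructed stack layout, innermost record first:
# (record address, Next, Handler)
RECORDS = [
    (0x0012FF00, 0x0012FF40, 0x77E0AAAA),
    (0x0012FF40, 0x0012FFB0, 0x77E0BBBB),
    (0x0012FFB0, END_OF_CHAIN, 0x7C8155CC),  # outermost; constructed "thread start" handler
]


def build_stack():
    """Return (memory, fs0): memory maps dword addresses to dword values,
    fs0 is the value of fs:[0], i.e. the address of the innermost record."""
    memory = {}
    for address, nxt, handler in RECORDS:
        memory[address] = nxt
        memory[address + 4] = handler
    return memory, RECORDS[0][0]


def walk_like_the_dll(memory, fs0, new_handler):
    """Replay the disassembly instruction by instruction.
    Returns (eax, esi) as they are at the 'pop esi': esi is the address of
    the Handler field that was overwritten, eax is the value the entry
    point hands back to the loader."""
    esi = 0                               # xor esi, esi
    eax = fs0                             # lods dword ptr fs:[esi]: eax = fs:[0] ...
    esi = (esi + 4) & MASK32              # ... and lods also advances esi by 4
    eax = (eax + 1) & MASK32              # inc eax
    while True:
        eax = (eax - 1) & MASK32          # dec eax
        eax, esi = esi, eax               # xchg eax, esi: esi = current record
        eax = memory[esi]                 # lodsd: eax = record.Next ...
        esi = (esi + 4) & MASK32          # ... esi now points at record.Handler
        eax = (eax + 1) & MASK32          # inc eax: 0xFFFFFFFF becomes 0 on the last record
        if eax == 0:                      # jnz short loc_401006
            break
    memory[esi] = new_handler             # mov dword ptr [esi], offset sub_401014
    return eax, esi


def outermost_handler(memory, fs0):
    """The plain walk a debugger or integrity check would do: follow Next
    until END_OF_CHAIN and return that record's Handler."""
    record = fs0
    while memory[record] != END_OF_CHAIN:
        record = memory[record]
    return memory[record + 4]


def chain_was_tampered(memory, fs0, expected_handler):
    """Defender-side check (assumption of this example: the caller knows the
    handler installed at thread start, e.g. from a clean snapshot of the same
    thread). True if the outermost handler no longer matches it."""
    return outermost_handler(memory, fs0) != expected_handler


if __name__ == "__main__":
    memory, fs0 = build_stack()
    before = outermost_handler(memory, fs0)
    eax, esi = walk_like_the_dll(memory, fs0, 0x00401014)
    print(f"entry point returns eax={eax:#x} (load failure); "
          f"handler field rewritten at {esi:#010x}")
    print("outermost handler changed:", chain_was_tampered(memory, fs0, before))
```

The model keeps the inc/dec pairing of the original so the loop body stays uniform; the value xchg leaves in eax on each pass is irrelevant because lodsd overwrites it immediately. The walk ends with eax equal to zero only because the last Next is 0xFFFFFFFF, which is exactly why the same code both locates the outermost handler and produces the FALSE return that triggers the hard error.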


Page 17

Not OK

Nothing significant has changed in the process environment, so the DLL is free to run normally.

So is the EXE, if it wants to. This technique works only for statically-linked DLLs: LoadLibrary() failures do not call the SEH handler.


Page 18

Really Not OK

Just a little something to add to the workload.
